How do I block malicious User-Agents with Cloudflare?

User-Agent (UA) Rules

User Agent rules match against the User-Agent request header sent by the browser or application accessing your site. UA rules are applied against the entire domain. Wildcards (*) are not supported in UA rules.

UA rules are applied after URL lockdown rules. If you permit an IP address using lockdown, the UA rules will be skipped for the matching URLs.

UA rules can have one the following actions applied: block, challenge (i.e., CAPTCHA), js_challenge.